search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
(_shishi_crypto_init): Fix prototype, from Nicolas Pouvesle
[shishi.git] / lib / tkt.c
blob385ccd6dc1aad426764fe20ef9d35b77292cae20
1 /* tkt.c ticket handling
2 * Copyright (C) 2002, 2003 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 #include "internal.h"
23
24 struct Shishi_tkt
25 {
26 Shishi *handle;
27 Shishi_asn1 ticket;
28 Shishi_asn1 kdcrep;
29 Shishi_asn1 enckdcreppart;
30 Shishi_asn1 encticketpart;
31 Shishi_key *key;
32 };
33
34 /**
35 * shishi_tkt:
36 * @handle: shishi handle as allocated by shishi_init().
37 * @tkt: output variable with newly allocated ticket.
38 *
39 * Create a new ticket handle.
40 *
41 * Return value: Returns SHISHI_OK iff successful.
42 **/
43 int
44 shishi_tkt (Shishi * handle, Shishi_tkt ** tkt)
45 {
46 Shishi_tkt *t;
47 int res;
48
49 t = xcalloc (1, sizeof (*t));
50
51 t->handle = handle;
52
53 t->ticket = shishi_asn1_ticket (handle);
54 if (t->ticket == NULL)
55 {
56 shishi_error_printf (handle, "Could not create Ticket: %s\n",
57 shishi_error (handle));
58 return SHISHI_ASN1_ERROR;
59 }
60
61 /* XXX what about tgs's? */
62 t->enckdcreppart = shishi_encasreppart (handle);
63 if (t->enckdcreppart == NULL)
64 {
65 shishi_error_printf (handle, "Could not create EncKDCRepPart: %s\n",
66 shishi_error (handle));
67 return SHISHI_ASN1_ERROR;
68 }
69
70 t->encticketpart = shishi_encticketpart (handle);
71 if (t->encticketpart == NULL)
72 {
73 shishi_error_printf (handle, "Could not create EncTicketPart: %s\n",
74 shishi_error (handle));
75 return SHISHI_ASN1_ERROR;
76 }
77
78 res = shishi_encticketpart_transited_set (handle,
79 t->encticketpart,
80 SHISHI_TR_DOMAIN_X500_COMPRESS,
81 "", 0);
82 if (res != SHISHI_OK)
83 return res;
84
85 res = shishi_encticketpart_authtime_set
86 (handle, t->encticketpart, shishi_generalize_time (handle, time (NULL)));
87 if (res != SHISHI_OK)
88 return res;
89
90 res = shishi_encticketpart_endtime_set
91 (handle, t->encticketpart,
92 shishi_generalize_time (handle, time (NULL) + 1000));
93 if (res != SHISHI_OK)
94 return res;
95
96 t->kdcrep = shishi_asrep (handle);
97 if (t->kdcrep == NULL)
98 {
99 shishi_error_printf (handle, "Could not create AS-REP: %s\n",
100 shishi_error (handle));
101 return SHISHI_ASN1_ERROR;
102 }
103
104 *tkt = t;
105
106 return SHISHI_OK;
107 }
108
109 /**
110 * shishi_tkt2:
111 * @handle: shishi handle as allocated by shishi_init().
112 * @ticket: input variable with ticket.
113 * @enckdcreppart: input variable with auxilliary ticket information.
114 * @kdcrep: input variable with KDC-REP ticket information.
115 *
116 * Create a new ticket handle.
117 *
118 * Return value: Returns new ticket handle, or %NULL on error.
119 **/
120 Shishi_tkt *
121 shishi_tkt2 (Shishi * handle,
122 Shishi_asn1 ticket, Shishi_asn1 enckdcreppart,
123 Shishi_asn1 kdcrep)
124 {
125 Shishi_tkt *tkt;
126
127 tkt = xcalloc (1, sizeof (*tkt));
128
129 tkt->handle = handle;
130 tkt->ticket = ticket;
131 tkt->enckdcreppart = enckdcreppart;
132 tkt->kdcrep = kdcrep;
133
134 return tkt;
135 }
136
137 /**
138 * shishi_tkt_done:
139 * @tkt: input variable with ticket info.
140 *
141 * Deallocate resources associated with ticket. The ticket must not
142 * be used again after this call.
143 **/
144 void
145 shishi_tkt_done (Shishi_tkt * tkt)
146 {
147 /* XXX need to always copy key into ticket before we can do
148 XXX this, compare shishi_tkt_key_set().
149 if (tkt->key)
150 shishi_key_done (tkt->key); */
151 free (tkt);
152 }
153
154
155 int
156 shishi_tkt_build (Shishi_tkt * tkt, Shishi_key * key)
157 {
158 int res;
159
160 res = shishi_ticket_add_enc_part (tkt->handle, tkt->ticket,
161 key, tkt->encticketpart);
162 if (res != SHISHI_OK)
163 return res;
164
165 return SHISHI_OK;
166 }
167
168 /**
169 * shishi_tkt_ticket:
170 * @tkt: input variable with ticket info.
171 *
172 * Return value: Returns actual ticket.
173 **/
174 Shishi_asn1
175 shishi_tkt_ticket (Shishi_tkt * tkt)
176 {
177 return tkt->ticket;
178 }
179
180 /**
181 * shishi_tkt_enckdcreppart:
182 * @tkt: input variable with ticket info.
183 *
184 * Return value: Returns auxilliary ticket information.
185 **/
186 Shishi_asn1
187 shishi_tkt_enckdcreppart (Shishi_tkt * tkt)
188 {
189 return tkt->enckdcreppart;
190 }
191
192 /**
193 * shishi_tkt_encticketreppart_set:
194 * @as: structure that holds information about Ticket exchange
195 * @enckdcreppart: EncKDCRepPart to store in Ticket.
196 *
197 * Set the EncKDCRepPart in the Ticket.
198 **/
199 void
200 shishi_tkt_enckdcreppart_set (Shishi_tkt * tkt, Shishi_asn1 enckdcreppart)
201 {
202 if (tkt->enckdcreppart)
203 shishi_asn1_done (tkt->handle, tkt->enckdcreppart);
204 tkt->enckdcreppart = enckdcreppart;
205 }
206
207 /**
208 * shishi_tkt_kdcrep:
209 * @tkt: input variable with ticket info.
210 *
211 * Return value: Returns KDC-REP information.
212 **/
213 Shishi_asn1
214 shishi_tkt_kdcrep (Shishi_tkt * tkt)
215 {
216 return tkt->kdcrep;
217 }
218
219 /**
220 * shishi_tkt_encticketpart:
221 * @tkt: input variable with ticket info.
222 *
223 * Return value: Returns EncTicketPart information.
224 **/
225 Shishi_asn1
226 shishi_tkt_encticketpart (Shishi_tkt * tkt)
227 {
228 return tkt->encticketpart;
229 }
230
231 /**
232 * shishi_tkt_encticketpart_set:
233 * @tkt: input variable with ticket info.
234 * @encticketpart: encticketpart to store in ticket.
235 *
236 * Set the EncTicketPart in the Ticket.
237 **/
238 void
239 shishi_tkt_encticketpart_set (Shishi_tkt * tkt, Shishi_asn1 encticketpart)
240 {
241 if (tkt->encticketpart)
242 shishi_asn1_done (tkt->handle, tkt->encticketpart);
243 tkt->encticketpart = encticketpart;
244 }
245
246 /**
247 * shishi_tkt_key:
248 * @tkt: input variable with ticket info.
249 *
250 * Return value: Returns key extracted from enckdcreppart.
251 **/
252 Shishi_key *
253 shishi_tkt_key (Shishi_tkt * tkt)
254 {
255 if (!tkt->key && tkt->enckdcreppart)
256 {
257 int res;
258
259 res = shishi_enckdcreppart_get_key (tkt->handle,
260 tkt->enckdcreppart, &tkt->key);
261 if (res != SHISHI_OK)
262 return NULL;
263 }
264 else if (!tkt->key && tkt->encticketpart)
265 {
266 int res;
267
268 res = shishi_encticketpart_get_key (tkt->handle,
269 tkt->encticketpart, &tkt->key);
270 if (res != SHISHI_OK)
271 return NULL;
272 }
273
274 return tkt->key;
275 }
276
277 /**
278 * shishi_tkt_key_set:
279 * @tkt: input variable with ticket info.
280 * @key: key to store in ticket.
281 *
282 * Set the key in the EncTicketPart.
283 *
284 * Return value: Returns SHISHI_OK iff successful.
285 **/
286 int
287 shishi_tkt_key_set (Shishi_tkt * tkt, Shishi_key * key)
288 {
289 int res;
290
291 res = shishi_encticketpart_key_set (tkt->handle, tkt->encticketpart, key);
292 if (res != SHISHI_OK)
293 return res;
294
295 res = shishi_enckdcreppart_key_set (tkt->handle, tkt->enckdcreppart, key);
296 if (res != SHISHI_OK)
297 return res;
298
299 tkt->key = key;
300
301 return SHISHI_OK;
302 }
303
304 int
305 shishi_tkt_clientrealm_set (Shishi_tkt * tkt, char *realm, char *client)
306 {
307 int res;
308
309 res = shishi_encticketpart_crealm_set (tkt->handle,
310 tkt->encticketpart, realm);
311 if (res != SHISHI_OK)
312 return res;
313
314 res = shishi_encticketpart_cname_set (tkt->handle,
315 tkt->encticketpart,
316 SHISHI_NT_UNKNOWN, client);
317 if (res != SHISHI_OK)
318 return res;
319
320 return SHISHI_OK;
321 }
322
323 int
324 shishi_tkt_serverrealm_set (Shishi_tkt * tkt, char *realm, char *server)
325 {
326 int res;
327
328 res = shishi_ticket_srealmserver_set (tkt->handle, tkt->ticket,
329 realm, server);
330 if (res != SHISHI_OK)
331 return res;
332
333 res = shishi_enckdcreppart_srealmserver_set
334 (tkt->handle, tkt->enckdcreppart, realm, server);
335 if (res != SHISHI_OK)
336 return res;
337
338 return SHISHI_OK;
339 }
340
341 /**
342 * shishi_tkt_client:
343 * @tkt: input variable with ticket info.
344 * @client: output buffer that holds client name of ticket.
345 * @clientlen: on input, maximum size of output buffer,
346 * on output, actual size of output buffer.
347 *
348 * Return value: Returns client principal of ticket.
349 **/
350 int
351 shishi_tkt_client (Shishi_tkt * tkt, char *client, size_t * clientlen)
352 {
353 return shishi_principal_name_get (tkt->handle, tkt->kdcrep,
354 "cname", client, clientlen);
355 }
356
357 /**
358 * shishi_tkt_client_p:
359 * @tkt: input variable with ticket info.
360 * @client: client name of ticket.
361 *
362 * Determine if ticket is for specified client.
363 *
364 * Return value: Returns non-0 iff ticket is for specified client.
365 **/
366 int
367 shishi_tkt_client_p (Shishi_tkt * tkt, const char *client)
368 {
369 char *buf;
370 size_t buflen;
371 int res;
372
373 buflen = strlen (client) + 1;
374 buf = xmalloc (buflen);
375
376 res = shishi_tkt_client (tkt, buf, &buflen);
377 if (res != SHISHI_OK)
378 {
379 free (buf);
380 return 0;
381 }
382 buf[buflen] = '\0';
383
384 if (strcmp (client, buf) != 0)
385 {
386 free (buf);
387 return 0;
388 }
389
390 free (buf);
391
392 return 1;
393 }
394
395 int
396 shishi_tkt_cnamerealm (Shishi_tkt * tkt,
397 char *cnamerealm, size_t * cnamerealmlen)
398 {
399 return shishi_principal_name_realm_get (tkt->handle,
400 tkt->kdcrep, "cname",
401 tkt->kdcrep, "crealm",
402 cnamerealm, cnamerealmlen);
403 }
404
405 /**
406 * shishi_tkt_cnamerealm_p:
407 * @tkt: input variable with ticket info.
408 * @client: principal name (client name and realm) of ticket.
409 *
410 * Determine if ticket is for specified client principal.
411 *
412 * Return value: Returns non-0 iff ticket is for specified client principal.
413 **/
414 int
415 shishi_tkt_cnamerealm_p (Shishi_tkt * tkt, const char *client)
416 {
417 char *buf;
418 size_t buflen;
419 int res;
420
421 buflen = strlen (client) + 1;
422 buf = xmalloc (buflen);
423
424 res = shishi_tkt_cnamerealm (tkt, buf, &buflen);
425 if (res != SHISHI_OK)
426 {
427 free (buf);
428 return 0;
429 }
430 buf[buflen] = '\0';
431
432 if (strcmp (client, buf) != 0)
433 {
434 free (buf);
435 return 0;
436 }
437
438 free (buf);
439
440 return 1;
441 }
442
443 /**
444 * shishi_tkt_realm:
445 * @tkt: input variable with ticket info.
446 * @realm: pointer to newly allocated character array with realm name.
447 * @realmlen: length of newly allocated character array with realm name.
448 *
449 * Extract realm of server in ticket.
450 *
451 * Return value: Returns SHISHI_OK iff successful.
452 **/
453 int
454 shishi_tkt_realm (Shishi_tkt * tkt, char **realm, size_t * realmlen)
455 {
456 return shishi_ticket_realm_get (tkt->handle, tkt->ticket, realm, realmlen);
457 }
458
459 int
460 shishi_tkt_server (Shishi_tkt * tkt, char *server, size_t * serverlen)
461 {
462 return shishi_ticket_sname_get (tkt->handle, tkt->ticket,
463 server, serverlen);
464 }
465
466 /**
467 * shishi_tkt_server_p:
468 * @tkt: input variable with ticket info.
469 * @server: server name of ticket.
470 *
471 * Determine if ticket is for specified server.
472 *
473 * Return value: Returns non-0 iff ticket is for specified server.
474 **/
475 int
476 shishi_tkt_server_p (Shishi_tkt * tkt, const char *server)
477 {
478 char *buf;
479 size_t buflen;
480 int res;
481
482 buflen = strlen (server) + 1;
483 buf = xmalloc (buflen);
484
485 res = shishi_tkt_server (tkt, buf, &buflen);
486 if (res != SHISHI_OK)
487 {
488 free (buf);
489 return 0;
490 }
491 buf[buflen] = '\0';
492
493 if (strcmp (server, buf) != 0)
494 {
495 free (buf);
496 return 0;
497 }
498
499 free (buf);
500
501 return 1;
502 }
503
504 int
505 shishi_tkt_server_realm (Shishi_tkt * tkt,
506 char *serverrealm, size_t * serverrealmlen)
507 {
508 return shishi_ticket_snamerealm_get (tkt->handle, tkt->ticket,
509 serverrealm, serverrealmlen);
510 }
511
512 /**
513 * shishi_tkt_flags:
514 * @tkt: input variable with ticket info.
515 * @flags: pointer to output integer with flags.
516 *
517 * Extract flags in ticket.
518 *
519 * Return value: Returns SHISHI_OK iff successful.
520 **/
521 int
522 shishi_tkt_flags (Shishi_tkt * tkt, int *flags)
523 {
524 return shishi_asn1_read_bitstring (tkt->handle, tkt->enckdcreppart,
525 "flags", flags);
526 }
527
528 /**
529 * shishi_tkt_flags_set:
530 * @tkt: input variable with ticket info.
531 * @flags: integer with flags to store in ticket.
532 *
533 * Set flags in ticket. Note that this reset any already existing
534 * flags.
535 *
536 * Return value: Returns SHISHI_OK iff successful.
537 **/
538 int
539 shishi_tkt_flags_set (Shishi_tkt * tkt, int flags)
540 {
541 int res;
542
543 res = shishi_encticketpart_flags_set (tkt->handle, tkt->encticketpart,
544 flags);
545 if (res != SHISHI_OK)
546 return res;
547
548 res = shishi_enckdcreppart_flags_set (tkt->handle, tkt->enckdcreppart,
549 flags);
550 if (res != SHISHI_OK)
551 return res;
552
553 return SHISHI_OK;
554 }
555
556 /**
557 * shishi_tkt_forwardable_p:
558 * @tkt: input variable with ticket info.
559 *
560 * Determine if ticket is forwardable.
561 *
562 * The FORWARDABLE flag in a ticket is normally only interpreted by
563 * the ticket-granting service. It can be ignored by application
564 * servers. The FORWARDABLE flag has an interpretation similar to
565 * that of the PROXIABLE flag, except ticket-granting tickets may also
566 * be issued with different network addresses. This flag is reset by
567 * default, but users MAY request that it be set by setting the
568 * FORWARDABLE option in the AS request when they request their
569 * initial ticket-granting ticket.
570 *
571 * Return value: Returns non-0 iff forwardable flag is set in ticket.
572 **/
573 int
574 shishi_tkt_forwardable_p (Shishi_tkt * tkt)
575 {
576 int flags = 0;
577
578 shishi_tkt_flags (tkt, &flags);
579
580 return flags & SHISHI_TICKETFLAGS_FORWARDABLE;
581 }
582
583 /**
584 * shishi_tkt_forwarded_p:
585 * @tkt: input variable with ticket info.
586 *
587 * Determine if ticket is forwarded.
588 *
589 * The FORWARDED flag is set by the TGS when a client presents a
590 * ticket with the FORWARDABLE flag set and requests a forwarded
591 * ticket by specifying the FORWARDED KDC option and supplying a set
592 * of addresses for the new ticket. It is also set in all tickets
593 * issued based on tickets with the FORWARDED flag set. Application
594 * servers may choose to process FORWARDED tickets differently than
595 * non-FORWARDED tickets.
596 *
597 * Return value: Returns non-0 iff forwarded flag is set in ticket.
598 **/
599 int
600 shishi_tkt_forwarded_p (Shishi_tkt * tkt)
601 {
602 int flags = 0;
603
604 shishi_tkt_flags (tkt, &flags);
605
606 return flags & SHISHI_TICKETFLAGS_FORWARDED;
607 }
608
609 /**
610 * shishi_tkt_proxiable_p:
611 * @tkt: input variable with ticket info.
612 *
613 * Determine if ticket is proxiable.
614 *
615 * The PROXIABLE flag in a ticket is normally only interpreted by the
616 * ticket-granting service. It can be ignored by application servers.
617 * When set, this flag tells the ticket-granting server that it is OK
618 * to issue a new ticket (but not a ticket-granting ticket) with a
619 * different network address based on this ticket. This flag is set if
620 * requested by the client on initial authentication. By default, the
621 * client will request that it be set when requesting a
622 * ticket-granting ticket, and reset when requesting any other ticket.
623 *
624 * Return value: Returns non-0 iff proxiable flag is set in ticket.
625 **/
626 int
627 shishi_tkt_proxiable_p (Shishi_tkt * tkt)
628 {
629 int flags = 0;
630
631 shishi_tkt_flags (tkt, &flags);
632
633 return flags & SHISHI_TICKETFLAGS_PROXIABLE;
634 }
635
636 /**
637 * shishi_tkt_proxy_p:
638 * @tkt: input variable with ticket info.
639 *
640 * Determine if ticket is proxy ticket.
641 *
642 * The PROXY flag is set in a ticket by the TGS when it issues a proxy
643 * ticket. Application servers MAY check this flag and at their
644 * option they MAY require additional authentication from the agent
645 * presenting the proxy in order to provide an audit trail.
646 *
647 * Return value: Returns non-0 iff proxy flag is set in ticket.
648 **/
649 int
650 shishi_tkt_proxy_p (Shishi_tkt * tkt)
651 {
652 int flags = 0;
653
654 shishi_tkt_flags (tkt, &flags);
655
656 return flags & SHISHI_TICKETFLAGS_PROXY;
657 }
658
659 /**
660 * shishi_tkt_may_postdate_p:
661 * @tkt: input variable with ticket info.
662 *
663 * Determine if ticket may be used to grant postdated tickets.
664 *
665 * The MAY-POSTDATE flag in a ticket is normally only interpreted by
666 * the ticket-granting service. It can be ignored by application
667 * servers. This flag MUST be set in a ticket-granting ticket in
668 * order to issue a postdated ticket based on the presented ticket. It
669 * is reset by default; it MAY be requested by a client by setting the
670 * ALLOW- POSTDATE option in the KRB_AS_REQ message. This flag does
671 * not allow a client to obtain a postdated ticket-granting ticket;
672 * postdated ticket-granting tickets can only by obtained by
673 * requesting the postdating in the KRB_AS_REQ message. The life
674 * (endtime-starttime) of a postdated ticket will be the remaining
675 * life of the ticket-granting ticket at the time of the request,
676 * unless the RENEWABLE option is also set, in which case it can be
677 * the full life (endtime-starttime) of the ticket-granting
678 * ticket. The KDC MAY limit how far in the future a ticket may be
679 * postdated.
680 *
681 * Return value: Returns non-0 iff may-postdate flag is set in ticket.
682 **/
683 int
684 shishi_tkt_may_postdate_p (Shishi_tkt * tkt)
685 {
686 int flags = 0;
687
688 shishi_tkt_flags (tkt, &flags);
689
690 return flags & SHISHI_TICKETFLAGS_MAY_POSTDATE;
691 }
692
693 /**
694 * shishi_tkt_postdated_p:
695 * @tkt: input variable with ticket info.
696 *
697 * Determine if ticket is postdated.
698 *
699 * The POSTDATED flag indicates that a ticket has been postdated. The
700 * application server can check the authtime field in the ticket to
701 * see when the original authentication occurred. Some services MAY
702 * choose to reject postdated tickets, or they may only accept them
703 * within a certain period after the original authentication. When the
704 * KDC issues a POSTDATED ticket, it will also be marked as INVALID,
705 * so that the application client MUST present the ticket to the KDC
706 * to be validated before use.
707 *
708 * Return value: Returns non-0 iff postdated flag is set in ticket.
709 **/
710 int
711 shishi_tkt_postdated_p (Shishi_tkt * tkt)
712 {
713 int flags = 0;
714
715 shishi_tkt_flags (tkt, &flags);
716
717 return flags & SHISHI_TICKETFLAGS_POSTDATED;
718 }
719
720 /**
721 * shishi_tkt_invalid_p:
722 * @tkt: input variable with ticket info.
723 *
724 * Determine if ticket is invalid.
725 *
726 * The INVALID flag indicates that a ticket is invalid. Application
727 * servers MUST reject tickets which have this flag set. A postdated
728 * ticket will be issued in this form. Invalid tickets MUST be
729 * validated by the KDC before use, by presenting them to the KDC in a
730 * TGS request with the VALIDATE option specified. The KDC will only
731 * validate tickets after their starttime has passed. The validation
732 * is required so that postdated tickets which have been stolen before
733 * their starttime can be rendered permanently invalid (through a
734 * hot-list mechanism).
735 *
736 * Return value: Returns non-0 iff invalid flag is set in ticket.
737 **/
738 int
739 shishi_tkt_invalid_p (Shishi_tkt * tkt)
740 {
741 int flags = 0;
742
743 shishi_tkt_flags (tkt, &flags);
744
745 return flags & SHISHI_TICKETFLAGS_INVALID;
746 }
747
748 /**
749 * shishi_tkt_renewable_p:
750 * @tkt: input variable with ticket info.
751 *
752 * Determine if ticket is renewable.
753 *
754 * The RENEWABLE flag in a ticket is normally only interpreted by the
755 * ticket-granting service (discussed below in section 3.3). It can
756 * usually be ignored by application servers. However, some
757 * particularly careful application servers MAY disallow renewable
758 * tickets.
759 *
760 * Return value: Returns non-0 iff renewable flag is set in ticket.
761 **/
762 int
763 shishi_tkt_renewable_p (Shishi_tkt * tkt)
764 {
765 int flags = 0;
766
767 shishi_tkt_flags (tkt, &flags);
768
769 return flags & SHISHI_TICKETFLAGS_RENEWABLE;
770 }
771
772 /**
773 * shishi_tkt_initial_p:
774 * @tkt: input variable with ticket info.
775 *
776 * Determine if ticket was issued using AS exchange.
777 *
778 * The INITIAL flag indicates that a ticket was issued using the AS
779 * protocol, rather than issued based on a ticket-granting ticket.
780 * Application servers that want to require the demonstrated knowledge
781 * of a client's secret key (e.g. a password-changing program) can
782 * insist that this flag be set in any tickets they accept, and thus
783 * be assured that the client's key was recently presented to the
784 * application client.
785 *
786 * Return value: Returns non-0 iff initial flag is set in ticket.
787 **/
788 int
789 shishi_tkt_initial_p (Shishi_tkt * tkt)
790 {
791 int flags = 0;
792
793 shishi_tkt_flags (tkt, &flags);
794
795 return flags & SHISHI_TICKETFLAGS_INITIAL;
796 }
797
798 /**
799 * shishi_tkt_pre_authent_p:
800 * @tkt: input variable with ticket info.
801 *
802 * Determine if ticket was pre-authenticated.
803 *
804 * The PRE-AUTHENT and HW-AUTHENT flags provide additional information
805 * about the initial authentication, regardless of whether the current
806 * ticket was issued directly (in which case INITIAL will also be set)
807 * or issued on the basis of a ticket-granting ticket (in which case
808 * the INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags
809 * are carried forward from the ticket-granting ticket).
810 *
811 * Return value: Returns non-0 iff pre-authent flag is set in ticket.
812 **/
813 int
814 shishi_tkt_pre_authent_p (Shishi_tkt * tkt)
815 {
816 int flags = 0;
817
818 shishi_tkt_flags (tkt, &flags);
819
820 return flags & SHISHI_TICKETFLAGS_PRE_AUTHENT;
821 }
822
823 /**
824 * shishi_tkt_hw_authent_p:
825 * @tkt: input variable with ticket info.
826 *
827 * Determine if ticket is authenticated using a hardware token.
828 *
829 * The PRE-AUTHENT and HW-AUTHENT flags provide additional information
830 * about the initial authentication, regardless of whether the current
831 * ticket was issued directly (in which case INITIAL will also be set)
832 * or issued on the basis of a ticket-granting ticket (in which case
833 * the INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags
834 * are carried forward from the ticket-granting ticket).
835 *
836 * Return value: Returns non-0 iff hw-authent flag is set in ticket.
837 **/
838 int
839 shishi_tkt_hw_authent_p (Shishi_tkt * tkt)
840 {
841 int flags = 0;
842
843 shishi_tkt_flags (tkt, &flags);
844
845 return flags & SHISHI_TICKETFLAGS_HW_AUTHENT;
846 }
847
848 /**
849 * shishi_tkt_transited_policy_checked_p:
850 * @tkt: input variable with ticket info.
851 *
852 * Determine if ticket has been policy checked for transit.
853 *
854 * In Kerberos, the application server is ultimately responsible for
855 * accepting or rejecting authentication and SHOULD check that only
856 * suitably trusted KDCs are relied upon to authenticate a principal.
857 * The transited field in the ticket identifies which realms (and thus
858 * which KDCs) were involved in the authentication process and an
859 * application server would normally check this field. If any of these
860 * are untrusted to authenticate the indicated client principal
861 * (probably determined by a realm-based policy), the authentication
862 * attempt MUST be rejected. The presence of trusted KDCs in this list
863 * does not provide any guarantee; an untrusted KDC may have
864 * fabricated the list.
865 *
866 * While the end server ultimately decides whether authentication is
867 * valid, the KDC for the end server's realm MAY apply a realm
868 * specific policy for validating the transited field and accepting
869 * credentials for cross-realm authentication. When the KDC applies
870 * such checks and accepts such cross-realm authentication it will set
871 * the TRANSITED-POLICY-CHECKED flag in the service tickets it issues
872 * based on the cross-realm TGT. A client MAY request that the KDCs
873 * not check the transited field by setting the
874 * DISABLE-TRANSITED-CHECK flag. KDCs are encouraged but not required
875 * to honor this flag.
876 *
877 * Application servers MUST either do the transited-realm checks
878 * themselves, or reject cross-realm tickets without TRANSITED-POLICY-
879 * CHECKED set.
880 *
881 * Return value: Returns non-0 iff transited-policy-checked flag is
882 * set in ticket.
883 **/
884 int
885 shishi_tkt_transited_policy_checked_p (Shishi_tkt * tkt)
886 {
887 int flags = 0;
888
889 shishi_tkt_flags (tkt, &flags);
890
891 return flags & SHISHI_TICKETFLAGS_TRANSITED_POLICY_CHECKED;
892 }
893
894 /**
895 * shishi_tkt_ok_as_delegate_p:
896 * @tkt: input variable with ticket info.
897 *
898 * Determine if ticket is ok as delegated ticket.
899 *
900 * The copy of the ticket flags in the encrypted part of the KDC reply
901 * may have the OK-AS-DELEGATE flag set to indicates to the client
902 * that the server specified in the ticket has been determined by
903 * policy of the realm to be a suitable recipient of delegation. A
904 * client can use the presence of this flag to help it make a decision
905 * whether to delegate credentials (either grant a proxy or a
906 * forwarded ticket- granting ticket) to this server. It is
907 * acceptable to ignore the value of this flag. When setting this
908 * flag, an administrator should consider the security and placement
909 * of the server on which the service will run, as well as whether the
910 * service requires the use of delegated credentials.
911 *
912 * Return value: Returns non-0 iff ok-as-delegate flag is set in ticket.
913 **/
914 int
915 shishi_tkt_ok_as_delegate_p (Shishi_tkt * tkt)
916 {
917 int flags = 0;
918
919 shishi_tkt_flags (tkt, &flags);
920
921 return flags & SHISHI_TICKETFLAGS_OK_AS_DELEGATE;
922 }
923
924 /**
925 * shishi_tkt_keytype:
926 * @tkt: input variable with ticket info.
927 * @etype: pointer to encryption type that is set, see Shishi_etype.
928 *
929 * Extract encryption type of key in ticket (really EncKDCRepPart).
930 *
931 * Return value: Returns SHISHI_OK iff successful.
932 **/
933 int
934 shishi_tkt_keytype (Shishi_tkt * tkt, int32_t * etype)
935 {
936 return shishi_asn1_read_int32 (tkt->handle, tkt->enckdcreppart,
937 "key.keytype", etype);
938 }
939
940 /**
941 * shishi_tkt_keytype_p:
942 * @tkt: input variable with ticket info.
943 * @etype: encryption type, see Shishi_etype.
944 *
945 * Determine if key in ticket (really EncKDCRepPart) is of specified
946 * key type (really encryption type).
947 *
948 * Return value: Returns non-0 iff key in ticket is of specified
949 * encryption type.
950 **/
951 int
952 shishi_tkt_keytype_p (Shishi_tkt * tkt, int32_t etype)
953 {
954 int32_t tktetype;
955 int rc;
956
957 rc = shishi_asn1_read_int32 (tkt->handle, tkt->enckdcreppart,
958 "key.keytype", &tktetype);
959 if (rc != SHISHI_OK)
960 return 0;
961
962 return etype == tktetype;
963 }
964
965 int
966 shishi_tkt_lastreq (Shishi_tkt * tkt,
967 char *lrtime, size_t * lrtimelen, int lrtype)
968 {
969 char *format;
970 int tmplrtype;
971 int res;
972 int i, n;
973
974 res = shishi_asn1_number_of_elements (tkt->handle, tkt->enckdcreppart,
975 "last-req", &n);
976 if (res != SHISHI_OK)
977 return res;
978
979 for (i = 1; i <= n; i++)
980 {
981 asprintf (&format, "last-req.?%d.lr-type", i);
982 res = shishi_asn1_read_integer (tkt->handle, tkt->enckdcreppart,
983 format, &tmplrtype);
984 free (format);
985 if (res != SHISHI_OK)
986 return SHISHI_ASN1_ERROR;
987
988 if (lrtype == tmplrtype)
989 {
990 asprintf (&format, "last-req.?%d.lr-value", i);
991 res = shishi_asn1_read (tkt->handle, tkt->enckdcreppart,
992 format, lrtime, lrtimelen);
993 free (format);
994 if (res != SHISHI_OK)
995 return SHISHI_ASN1_ERROR;
996
997 return SHISHI_OK;
998 }
999 }
1000
1001 return !SHISHI_OK;
1002 }
1003
1004 /**
1005 * shishi_tkt_lastreqc:
1006 * @tkt: input variable with ticket info.
1007 * @lrtype: lastreq type to extract, see Shishi_lrtype. E.g.,
1008 * SHISHI_LRTYPE_LAST_REQUEST.
1009 *
1010 * Extract C time corresponding to given lastreq type field in the
1011 * ticket.
1012 *
1013 * Return value: Returns C time interpretation of the specified
1014 * lastreq field, or (time_t) -1.
1015 **/
1016 time_t
1017 shishi_tkt_lastreqc (Shishi_tkt * tkt, Shishi_lrtype lrtype)
1018 {
1019 char lrtime[GENERALIZEDTIME_TIME_LEN + 1];
1020 size_t lrtimelen;
1021 time_t t;
1022 int res;
1023
1024 lrtimelen = sizeof (lrtime);
1025 res = shishi_tkt_lastreq (tkt, lrtime, &lrtimelen, lrtype);
1026 if (res != SHISHI_OK)
1027 return (time_t) - 1;
1028
1029 lrtime[GENERALIZEDTIME_TIME_LEN] = '\0';
1030
1031 t = shishi_generalize_ctime (tkt->handle, lrtime);
1032
1033 return t;
1034 }
1035
1036
1037 int
1038 shishi_tkt_authtime (Shishi_tkt * tkt, char *authtime, size_t * authtimelen)
1039 {
1040 return shishi_asn1_read (tkt->handle, tkt->enckdcreppart, "authtime",
1041 authtime, authtimelen);
1042 }
1043
1044 /**
1045 * shishi_tkt_authctime:
1046 * @tkt: input variable with ticket info.
1047 *
1048 * Extract C time corresponding to the authtime field. The field
1049 * holds the time when the original authentication took place that
1050 * later resulted in this ticket.
1051 *
1052 * Return value: Returns C time interpretation of the endtime in ticket.
1053 **/
1054 time_t
1055 shishi_tkt_authctime (Shishi_tkt * tkt)
1056 {
1057 char authtime[GENERALIZEDTIME_TIME_LEN + 1];
1058 size_t authtimelen;
1059 time_t t;
1060 int res;
1061
1062 authtimelen = sizeof (authtime);
1063 res = shishi_tkt_authtime (tkt, authtime, &authtimelen);
1064 if (res != SHISHI_OK)
1065 return (time_t) - 1;
1066
1067 authtime[GENERALIZEDTIME_TIME_LEN] = '\0';
1068
1069 t = shishi_generalize_ctime (tkt->handle, authtime);
1070
1071 return t;
1072 }
1073
1074 int
1075 shishi_tkt_starttime (Shishi_tkt * tkt, char *starttime,
1076 size_t * starttimelen)
1077 {
1078 return shishi_asn1_read_optional (tkt->handle, tkt->enckdcreppart,
1079 "starttime", starttime, starttimelen);
1080 }
1081
1082 /**
1083 * shishi_tkt_startctime:
1084 * @tkt: input variable with ticket info.
1085 *
1086 * Extract C time corresponding to the starttime field. The field
1087 * holds the time where the ticket start to be valid (typically in the
1088 * past).
1089 *
1090 * Return value: Returns C time interpretation of the endtime in ticket.
1091 **/
1092 time_t
1093 shishi_tkt_startctime (Shishi_tkt * tkt)
1094 {
1095 char starttime[GENERALIZEDTIME_TIME_LEN + 1];
1096 int starttimelen;
1097 time_t t;
1098 int res;
1099
1100 starttimelen = sizeof (starttime);
1101 res = shishi_tkt_starttime (tkt, starttime, &starttimelen);
1102 if (res != SHISHI_OK || starttimelen == 0)
1103 return (time_t) - 1;
1104
1105 starttime[GENERALIZEDTIME_TIME_LEN] = '\0';
1106
1107 t = shishi_generalize_ctime (tkt->handle, starttime);
1108
1109 return t;
1110 }
1111
1112 int
1113 shishi_tkt_endtime (Shishi_tkt * tkt, char *endtime, size_t * endtimelen)
1114 {
1115 return shishi_asn1_read (tkt->handle, tkt->enckdcreppart, "endtime",
1116 endtime, endtimelen);
1117 }
1118
1119 /**
1120 * shishi_tkt_endctime:
1121 * @tkt: input variable with ticket info.
1122 *
1123 * Extract C time corresponding to the endtime field. The field holds
1124 * the time where the ticket stop being valid.
1125 *
1126 * Return value: Returns C time interpretation of the endtime in ticket.
1127 **/
1128 time_t
1129 shishi_tkt_endctime (Shishi_tkt * tkt)
1130 {
1131 char endtime[GENERALIZEDTIME_TIME_LEN + 1];
1132 size_t endtimelen;
1133 time_t t;
1134 int res;
1135
1136 endtimelen = sizeof (endtime);
1137 res = shishi_tkt_endtime (tkt, endtime, &endtimelen);
1138 if (res != SHISHI_OK)
1139 return (time_t) - 1;
1140
1141 endtime[GENERALIZEDTIME_TIME_LEN] = '\0';
1142
1143 t = shishi_generalize_ctime (tkt->handle, endtime);
1144
1145 return t;
1146 }
1147
1148 int
1149 shishi_tkt_renew_till (Shishi_tkt * tkt, char *renewtill,
1150 size_t * renewtilllen)
1151 {
1152 return shishi_asn1_read_optional (tkt->handle, tkt->enckdcreppart,
1153 "renew-till", renewtill, renewtilllen);
1154 }
1155
1156 /**
1157 * shishi_tkt_renew_tillc:
1158 * @tkt: input variable with ticket info.
1159 *
1160 * Extract C time corresponding to the renew-till field. The field
1161 * holds the time where the ticket stop being valid for renewal.
1162 *
1163 * Return value: Returns C time interpretation of the renew-till in ticket.
1164 **/
1165 time_t
1166 shishi_tkt_renew_tillc (Shishi_tkt * tkt)
1167 {
1168 char renewtill[GENERALIZEDTIME_TIME_LEN + 1];
1169 size_t renewtilllen;
1170 time_t t;
1171 int res;
1172
1173 renewtilllen = sizeof (renewtill);
1174 res = shishi_tkt_renew_till (tkt, renewtill, &renewtilllen);
1175 if (res != SHISHI_OK || renewtilllen == 0)
1176 return (time_t) - 1;
1177
1178 renewtill[GENERALIZEDTIME_TIME_LEN] = '\0';
1179
1180 t = shishi_generalize_ctime (tkt->handle, renewtill);
1181
1182 return t;
1183 }
1184
1185 /**
1186 * shishi_tkt_valid_at_time_p:
1187 * @tkt: input variable with ticket info.
1188 * @now: time to check for.
1189 *
1190 * Determine if ticket is valid at a specific point in time.
1191 *
1192 * Return value: Returns non-0 iff ticket is valid (not expired and
1193 * after starttime) at specified time.
1194 **/
1195 int
1196 shishi_tkt_valid_at_time_p (Shishi_tkt * tkt, time_t now)
1197 {
1198 time_t starttime, endtime;
1199
1200 starttime = shishi_tkt_startctime (tkt);
1201 if (starttime == (time_t) - 1)
1202 starttime = shishi_tkt_authctime (tkt);
1203 endtime = shishi_tkt_endctime (tkt);
1204
1205 return starttime <= now && now <= endtime;
1206 }
1207
1208 /**
1209 * shishi_tkt_valid_now_p:
1210 * @tkt: input variable with ticket info.
1211 *
1212 * Determine if ticket is valid now.
1213 *
1214 * Return value: Returns 0 iff ticket is invalid (expired or not yet
1215 * valid).
1216 **/
1217 int
1218 shishi_tkt_valid_now_p (Shishi_tkt * tkt)
1219 {
1220 return shishi_tkt_valid_at_time_p (tkt, time (NULL));
1221 }
1222
1223 /**
1224 * shishi_tkt_lastreq_pretty_print:
1225 * @tkt: input variable with ticket info.
1226 * @fh: file handle open for writing.
1227 *
1228 * Print a human readable representation of the various lastreq fields
1229 * in the ticket (really EncKDCRepPart).
1230 **/
1231 void
1232 shishi_tkt_lastreq_pretty_print (Shishi_tkt * tkt, FILE * fh)
1233 {
1234 time_t t;
1235
1236 t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_INITIAL_TGT_REQUEST);
1237 if (t != (time_t) - 1)
1238 fprintf (fh, _("Time of last initial request for a TGT:\t%s"),
1239 ctime (&t));
1240
1241 t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_INITIAL_REQUEST);
1242 if (t != (time_t) - 1)
1243 fprintf (fh, "Time of last initial request:\t%s", ctime (&t));
1244
1245 t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_NEWEST_TGT_ISSUE);
1246 if (t != (time_t) - 1)
1247 fprintf (fh,
1248 "Time of issue for the newest ticket-granting ticket used:\t%s",
1249 ctime (&t));
1250
1251 t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_RENEWAL);
1252 if (t != (time_t) - 1)
1253 fprintf (fh, "Time of the last renewal:\t%s", ctime (&t));
1254
1255 t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_REQUEST);
1256 if (t != (time_t) - 1)
1257 fprintf (fh, "Time of last request:\t%s", ctime (&t));
1258 }
1259
1260 /**
1261 * shishi_tkt_pretty_print:
1262 * @tkt: input variable with ticket info.
1263 * @fh: file handle open for writing.
1264 *
1265 * Print a human readable representation of a ticket to file handle.
1266 **/
1267 void
1268 shishi_tkt_pretty_print (Shishi_tkt * tkt, FILE * fh)
1269 {
1270 char buf[BUFSIZ];
1271 char *p;
1272 size_t buflen;
1273 int keytype, etype, flags;
1274 int res;
1275 time_t t;
1276
1277 buflen = sizeof (buf);
1278 buf[0] = '\0';
1279 res = shishi_tkt_cnamerealm (tkt, buf, &buflen);
1280 buf[buflen] = '\0';
1281 fprintf (fh, "%s:\n", buf);
1282
1283 t = shishi_tkt_authctime (tkt);
1284 fprintf (fh, _("Authtime:\t%s"), ctime (&t));
1285
1286 t = shishi_tkt_startctime (tkt);
1287 if (t != (time_t) - 1)
1288 fprintf (fh, _("Starttime:\t%s"), ctime (&t));
1289
1290 t = shishi_tkt_endctime (tkt);
1291 p = ctime (&t);
1292 p[strlen (p) - 1] = '\0';
1293 fprintf (fh, _("Endtime:\t%s"), p);
1294 if (!shishi_tkt_valid_now_p (tkt))
1295 fprintf (fh, " (EXPIRED)");
1296 fprintf (fh, "\n");
1297
1298 t = shishi_tkt_renew_tillc (tkt);
1299 if (t != (time_t) - 1)
1300 fprintf (fh, _("Renewable till:\t%s"), ctime (&t));
1301
1302 buflen = sizeof (buf);
1303 buf[0] = '\0';
1304 res = shishi_tkt_server (tkt, buf, &buflen);
1305 buf[buflen] = '\0';
1306 res = shishi_ticket_get_enc_part_etype (tkt->handle, tkt->ticket, &keytype);
1307 fprintf (fh, _("Server:\t\t%s key %s (%d)\n"), buf,
1308 shishi_cipher_name (keytype), keytype);
1309
1310 res = shishi_tkt_keytype (tkt, &keytype);
1311 res = shishi_kdcrep_get_enc_part_etype (tkt->handle, tkt->kdcrep, &etype);
1312 fprintf (fh, _("Ticket key:\t%s (%d) protected by %s (%d)\n"),
1313 shishi_cipher_name (keytype), keytype,
1314 shishi_cipher_name (etype), etype);
1315
1316
1317 res = shishi_tkt_flags (tkt, &flags);
1318 if (flags)
1319 {
1320 fprintf (fh, _("Ticket flags:\t"));
1321 if (shishi_tkt_forwardable_p (tkt))
1322 fprintf (fh, "FORWARDABLE ");
1323 if (shishi_tkt_forwarded_p (tkt))
1324 fprintf (fh, "FORWARDED ");
1325 if (shishi_tkt_proxiable_p (tkt))
1326 fprintf (fh, "PROXIABLE ");
1327 if (shishi_tkt_proxy_p (tkt))
1328 fprintf (fh, "PROXY ");
1329 if (shishi_tkt_may_postdate_p (tkt))
1330 fprintf (fh, "MAYPOSTDATE ");
1331 if (shishi_tkt_postdated_p (tkt))
1332 fprintf (fh, "POSTDATED ");
1333 if (shishi_tkt_invalid_p (tkt))
1334 fprintf (fh, "INVALID ");
1335 if (shishi_tkt_renewable_p (tkt))
1336 fprintf (fh, "RENEWABLE ");
1337 if (shishi_tkt_initial_p (tkt))
1338 fprintf (fh, "INITIAL ");
1339 if (shishi_tkt_pre_authent_p (tkt))
1340 fprintf (fh, "PREAUTHENT ");
1341 if (shishi_tkt_hw_authent_p (tkt))
1342 fprintf (fh, "HWAUTHENT ");
1343 if (shishi_tkt_transited_policy_checked_p (tkt))
1344 fprintf (fh, "TRANSITEDPOLICYCHECKED ");
1345 if (shishi_tkt_ok_as_delegate_p (tkt))
1346 fprintf (fh, "OKASDELEGATE ");
1347 fprintf (fh, "(%d)\n", flags);
1348 }
1349 }
1350
1351 int
1352 shishi_tkt_decrypt (Shishi_tkt * tkt, Shishi_key * key)
1353 {
1354 int rc;
1355 Shishi_asn1 encticketpart;
1356
1357 rc = shishi_ticket_decrypt (tkt->handle, tkt->ticket, key, &encticketpart);
1358 if (rc != SHISHI_OK)
1359 return rc;
1360
1361 tkt->encticketpart = encticketpart;
1362
1363 return SHISHI_OK;
1364 }
Free Kerberos V5 implementation